New feature

Security Scanning for monday code

Related products: Apps Framework, monday code
  • December 15, 2025
  • 3 replies
  • 111 views

Shahar-monday

We are introducing a new Security Scanning capability in the monday code deployment pipeline, now available for all monday developers.

This feature analyzes your deployment for vulnerabilities across both dependencies and code. Each scan generates a structured JSON report and a clear CLI summary, making it easier to understand issues and take action when needed.

What the feature includes

  • Deploy with automated security scanning using code:push -s
  • Get a clean, human-readable summary of findings with code:report
  • Download the full JSON scan results using code:report -o
  • Identify issues efficiently with file paths, line references, severity indicators and links to relevant CVEs or rule documentation

Scans are informational-only and do not block deployments, giving you a frictionless way to explore the feature while strengthening your app’s security.

We’d appreciate your feedback on report clarity, severity categorization and how well this integrates into your deployment workflow through this thread.

Read the docs here & enjoy coding,

Shahar from Apps Framework


3 replies

dvdsmpsn
  • Participating Frequently
  • December 15, 2025

@Shahar-monday what are you using to generate this report? Is it Trivy?

We currently have our own security scanning for the following, which runs on each commit:

  • secret detection
  • SAST
  • dependency scanning

I’m just wondering what you provide that we might be missing, and what tools you use under the hood to produce this reporting.

Is there perhaps something that should be standardised for all app vendors?

What are others using that could benefit all?


Shahar-monday
  • Author
  • monday.com Team Member
  • December 16, 2025

@dvdsmpsn Thanks for the questions! Our goal with the built-in scanner is to provide a standardized baseline for all app developers, regardless of what tools you already use. We currently run two engines: OpenGrep, which performs SAST-style pattern analysis and secret detection, and Trivy, which handles dependency vulnerability scanning and CVE detection. Even if you’re already using similar tools in your own pipeline, this gives monday a consistent view across all apps and provides you with an additional, non-blocking layer of visibility.

Long-term, we see this becoming a standard set of checks so all developers benefit from the same minimum level of security, while still being free to run their own preferred tooling on top. Happy to share more if helpful!
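An added example (not monday's code, and the report layout is an assumption, since the page does not show the actual JSON schema) of how a developer could triage the JSON scan results described in the announcement, covering both the dependency findings Trivy produces and the code findings OpenGrep produces, and showing the optional local gate a team can add because the monday scan itself never blocks a deploy:

```python
import json
from collections import Counter

# Constructed sample report. The page does not document the real report
# schema, so this flat "findings" list is an assumption for the example.
SAMPLE_REPORT = json.dumps({"findings": [
    {"source": "dependency", "severity": "HIGH", "package": "example-lib",
     "installed": "1.0.0", "fixed": "1.0.1", "id": "CVE-PLACEHOLDER-1",
     "link": "https://example.invalid/cve-1"},
    {"source": "code", "severity": "medium", "path": "src/handler.js",
     "line": 42, "id": "example.rule.hardcoded-secret",
     "link": "https://example.invalid/rule-doc"},
    {"source": "dependency", "severity": "LOW", "package": "example-util",
     "installed": "2.3.0", "fixed": "2.3.1", "id": "CVE-PLACEHOLDER-2",
     "link": "https://example.invalid/cve-2"},
]})

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def load_findings(report_text):
    """Parse the report, normalise severity labels, most severe first."""
    findings = []
    for f in json.loads(report_text).get("findings", []):
        sev = str(f.get("severity", "")).upper()
        findings.append(dict(f, severity=sev if sev in SEVERITY_ORDER else "UNKNOWN"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))

def count_by_severity(findings):
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}

def describe(f):
    """One summary line: severity, id, location, and the CVE or rule link."""
    if f["source"] == "dependency":
        where = f"{f['package']}@{f['installed']} (fixed in {f['fixed']})"
    else:
        where = f"{f['path']}:{f['line']}"
    return f"[{f['severity']}] {f['id']} {where} {f['link']}"

def exceeds_threshold(findings, min_severity="HIGH"):
    """Optional local gate. monday's scan never blocks a deploy; a team
    that wants gating can run this in its own CI and fail on True."""
    limit = SEVERITY_ORDER.index(min_severity)
    return any(SEVERITY_ORDER.index(f["severity"]) <= limit for f in findings)

def summarize(report_text):
    findings = load_findings(report_text)
    lines = [describe(f) for f in findings]
    lines.append("totals: " + ", ".join(f"{s}={n}" for s, n in count_by_severity(findings).items() if n))
    return lines
```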


dvdsmpsn
  • Participating Frequently
  • December 16, 2025

@Shahar-monday Thanks for the answers.

I think that this is a really good thing to introduce on monday code, and indeed for all marketplace apps.

Standardised reporting over all apps in the marketplace (and private apps too) means that monday can really understand what's happening on the platform and share best practice with app developers.

I’d envisage proactive scanning of all apps at some point and ways of encouraging app vendors/devs to update and secure their apps.

Automated scanning could also help with the long term stability of the platform too.